Logging User Activity
Dear All,

Currently implementing a number of modifications to our internal security policies, and one addition I am attempting to add is the full logging of user activity.

I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.

Can anyone point me in the right direction?

With thanks

Mike

http://www.ishop.co.uk/
Build on-line. Buy online. The only UK based complete e-commerce package.

Michael Parkinson BSc.(Hons)
Technical Director
Intellnet Limited
5 Priors London Road
Bishops Stortford
Herts CM23 5ED
Phone : 01279 602800
DDI : 01279 602805
Fax : 01279 600815
Mobile : 07770 380511
ICQ No. : 47666166
E-mail : [EMAIL PROTECTED] [EMAIL PROTECTED]
URL : http://www.intellnet.net.uk/ http://www.ishop.co.uk/
Re: Logging User Activity
On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security policies, and one addition I am attempting to add is the full logging of user activity.

Are the users on the machine with shell accounts, X11 and the like, or passing through via ppp? There are different ways of doing things depending on the type of use, although the amount of detail specified for log files can usually cover some of what you want.

> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.

I dunno - the FBI and CIA probably wouldn't object to some more of that stuff gratuitously offered.

> Can anyone point me in the right direction?
>
> With thanks
>
> Mike
>
> http://www.ishop.co.uk/
> Build on-line. Buy online. The only UK based complete e-commerce package.
>
> Michael Parkinson BSc.(Hons)
> Technical Director
> Intellnet Limited
> 5 Priors London Road
> Bishops Stortford
> Herts CM23 5ED
> Phone : 01279 602800
> DDI : 01279 602805
> Fax : 01279 600815
> Mobile : 07770 380511
> ICQ No. : 47666166
> E-mail : [EMAIL PROTECTED] [EMAIL PROTECTED]
> URL : http://www.intellnet.net.uk/ http://www.ishop.co.uk/

-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: [EMAIL PROTECTED]
Re: Logging User Activity
On Wed, 2003-05-14 at 16:33, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security policies, and one addition I am attempting to add is the full logging of user activity.

Are you sure that this is not violating your users' privacy?

But apart from political and legal issues - I suggest using the grsecurity kernel patch (www.grsecurity.org). You can put all users that you don't trust into a special audit group. Of course, you still have to come up with a solution for secure remote logging (syslog is not an option - some of your users could for example get the idea of sending fake logs of other users doing nasty things to the remote logging server...).

Sebastian
Re: Logging User Activity
On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security policies, and one addition I am attempting to add is the full logging of user activity.
>
> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.
>
> Can anyone point me in the right direction?

Are you trying to log activity on machines or on the network?

-- 
Nathan Norman - Incanus Networking
mailto:[EMAIL PROTECTED]
  Q: What's tiny and yellow and very, very, dangerous?
  A: A canary with the super-user password.
RE: Logging User Activity
Hi all!

How about enabling 'BSD Process Accounting' in the kernel and installing the 'acct' package? This will give similar (or exact, haven't tried it myself) functionality as the OpenBSD accounting with 'accton', so that all user commands will be logged and then viewed with 'lastcomm'.

.2

br,
Christofer.

-----Original Message-----
From: Mark L. Kahnt [mailto:[EMAIL PROTECTED]]
Sent: 14 May 2003 17:45
To: debian-security@lists.debian.org
Subject: Re: Logging User Activity

On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security policies, and one addition I am attempting to add is the full logging of user activity.

Are the users on the machine with shell accounts, X11 and the like, or passing through via ppp? There are different ways of doing things depending on the type of use, although the amount of detail specified for log files can usually cover some of what you want.

> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.

I dunno - the FBI and CIA probably wouldn't object to some more of that stuff gratuitously offered.

> Can anyone point me in the right direction?
>
> With thanks
>
> Mike
>
> http://www.ishop.co.uk/
> Build on-line. Buy online. The only UK based complete e-commerce package.
>
> Michael Parkinson BSc.(Hons)
> Technical Director
> Intellnet Limited
> 5 Priors London Road
> Bishops Stortford
> Herts CM23 5ED
> Phone : 01279 602800
> DDI : 01279 602805
> Fax : 01279 600815
> Mobile : 07770 380511
> ICQ No. : 47666166
> E-mail : [EMAIL PROTECTED] [EMAIL PROTECTED]
> URL : http://www.intellnet.net.uk/ http://www.ishop.co.uk/

-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: [EMAIL PROTECTED]
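Christofer's accounting suggestion, worked through as an added example that is not from the thread: a parser for lastcomm(1) output that reports which non-root users ran commands flagged S (executed with superuser privileges, the flag a setuid program such as sudo leaves in the accounting record). The sample lines are constructed in lastcomm's column layout, not real accounting data; the flag letters follow the acct package's lastcomm(1) documentation.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class AcctRecord(NamedTuple):
    """One lastcomm(1) line: command, accounting flags, user, tty, CPU seconds, start time."""
    command: str
    flags: str
    user: str
    tty: str
    cpu_secs: float
    started: str


# lastcomm prints a fixed-width flags column that is blank when no flag applies,
# so the flags token is optional. Per lastcomm(1): S = ran with superuser
# privileges, F = forked without a following exec, D = dumped core,
# X = terminated by a signal.
_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFDX]{1,4})\s+)?(?P<user>\S+)\s+(?P<tty>\S+)"
    r"\s+(?P<secs>\d+\.\d+) secs\s+(?P<started>.+?)\s*$"
)


def parse_lastcomm(text: str) -> List[AcctRecord]:
    """Parse lastcomm output, silently skipping lines that do not fit the layout."""
    records: List[AcctRecord] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            records.append(AcctRecord(m["cmd"], m["flags"] or "", m["user"],
                                      m["tty"], float(m["secs"]), m["started"]))
    return records


def privileged_by_user(records: List[AcctRecord]) -> Dict[str, List[str]]:
    """Commands each non-root user ran with the S flag: the audit view an admin wants first."""
    out: Dict[str, List[str]] = {}
    for r in records:
        if "S" in r.flags and r.user != "root":
            out.setdefault(r.user, []).append(r.command)
    return out


def commands_per_user(records: List[AcctRecord]) -> Counter:
    """Simple per-user activity count, the 'who ran how much' summary."""
    return Counter(r.user for r in records)


# Constructed sample in lastcomm's layout (not captured from a real system).
SAMPLE = """\
ls                     mike     pts/0      0.00 secs Wed May 14 10:33
sudo              S    mike     pts/0      0.01 secs Wed May 14 10:34
apt-get           S    root     pts/0      0.42 secs Wed May 14 10:34
bash              F    mike     pts/0      0.00 secs Wed May 14 10:35
cc1                    carol    pts/1      2.31 secs Wed May 14 10:36
"""

if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE)
    print(privileged_by_user(recs), commands_per_user(recs))
```

Process accounting records the command name and exit flags, not the arguments, so it tells you that mike invoked sudo, not what he did with it; sudo's own log (or the auditing Sebastian mentions) fills that gap.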
Re: Logging User Activity
Michael,

Michael Parkinson [EMAIL PROTECTED] [2003-05-14 17:27]:
> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.
>
> Can anyone point me in the right direction?

do you know already: http://www.debian.org/doc/manuals/securing-debian-howto ?

wbr,
Lukas

-- 
Lukas Ruf         | Wanna know anything about raw IP?
http://www.lpr.ch | http://www.rawip.org
Re: Logging User Activity
On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:
> I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.

I missed the start of the thread, and apologize for not answering much. But could you point me at that package? A quick googling didn't show much obvious.

I'd be extremely interested in looking at what that package is actually up to. I haven't heard much about this sort of thing going on in the open source world.

-j

-- 
Jamie Lawrence [EMAIL PROTECTED]
Politics is the entertainment branch of industry.
   - Frank Zappa
Re: Logging User Activity
On Wed, May 14, 2003 at 06:26:16PM +0100, Michael Parkinson wrote:

[ I wrote ]

> > On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > > Dear All,
> > >
> > > Currently implementing a number of modifications to our internal security policies, and one addition I am attempting to add is the full logging of user activity.
> > >
> > > I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.
> > >
> > > Can anyone point me in the right direction?
> >
> > Are you trying to log activity on machines or on the network?
>
> Hi Nathan,
>
> Logging over the network would be ideal but to the machine if that is all that is available.

[ Let's keep this on the list, please ]

Well, where you log to is up to you, but that wasn't my question :-)

What activity are you trying to log? Activity on machines (user a ran this, consumed this much cpu time, etc.) or activity on the network (user b accessed this site, consumed this much bandwidth, etc.)?

The latter is far more difficult: how do you know that a packet was caused by user b's activity?

-- 
Nathan Norman - Incanus Networking
mailto:[EMAIL PROTECTED]
  Exhilaration is that feeling you get just after a great idea hits you,
  and just before you realize what's wrong with it.
Re: Logging User Activity
On Wednesday 14 May 2003 10:23, Nathan E Norman wrote:
> On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > Dear All,
> >
> > Currently implementing a number of modifications to our internal security policies, and one addition I am attempting to add is the full logging of user activity.
> >
> > I cannot find any simple way of achieving this within the standard docs, and searching the web for "log user activity linux debian" does throw up some not particularly useful links, including a package for filtering my users' output to the FBI, not much good for the UK.
> >
> > Can anyone point me in the right direction?
>
> Are you trying to log activity on machines or on the network?

particularly good question ;)

My suggestion would be to consider both. For network logging we can 'argue' about what sniffers/stream-assemblers/system-logging utils are the best, so I won't get into it. I would simply use syslog-ng and have everything sent over a tunnel with a signature to avoid spoofing; this would only work if your 'network logging' util is capable of using syslog-ng to save logs.

Anyway, consider forcing the users to use a certain shell and have the shell log everything the users do, a la keystroke granularity. A solution may be to separate your users using what Sebastian suggested, grsecurity. Another solution would be to chroot all your users (but I generally think it's more of a pain and would simply piss off most of them).

http://www.digitaloffense.net/chrsh/chrsh.c
http://www.g0thead.com/chrsh-user-setup.txt

-- 
Orlando Padilla
http://www.g0thead.com/xbud.asc
I only drink to make other people interesting
Could sudo be a security issue?
Hi all,

My manager just came in asking questions about sudo. We use sudo here as a replacement for having to know root passwords - in general there are around 5 of us who need root access to the machines we maintain. We typically have just fallen back to a ALL=ALL for ourselves so we can just prepend sudo to any command we need executed as root.

Now in his mind this is removing a level of security. If someone manages to get my password, they also can gain access to root via sudo. In an environment where I have 25+ machines, different passwords for all machines is not that workable.

What are other people's thoughts on this? Where have I gone wrong in implementation? What would be your recommendations in this case?

Cheers,

Stewart
Re: Could sudo be a security issue?
going back to root means that you do not know who did what. sudo gets logged, so you know who did what. that is way more important security wise than not running sudo and having 5 people use root with no logging.

the second thing is that if you did want to limit people to certain commands you can. without it you are forced to give them root, and that means unlimited power.

Stewart James wrote:
> Hi all,
>
> My manager just came in asking questions about sudo. We use sudo here as a replacement for having to know root passwords - in general there are around 5 of us who need root access to the machines we maintain. We typically have just fallen back to a ALL=ALL for ourselves so we can just prepend sudo to any command we need executed as root.
>
> Now in his mind this is removing a level of security. If someone manages to get my password, they also can gain access to root via sudo. In an environment where I have 25+ machines, different passwords for all machines is not that workable.
>
> What are other people's thoughts on this? Where have I gone wrong in implementation? What would be your recommendations in this case?
>
> Cheers,
>
> Stewart
Re: Could sudo be a security issue?
On Wednesday 14 May 2003 04:17 pm, Stewart James wrote:
> Hi all,

Hello Stewart,

> My manager just came in asking questions about sudo. We use sudo here as a replacement for having to know root passwords - in general there are around 5 of us who need root access to the machines we maintain. We typically have just fallen back to a ALL=ALL for ourselves so we can just prepend sudo to any command we need executed as root.
>
> Now in his mind this is removing a level of security. If someone manages to get my password, they also can gain access to root via sudo. In an environment where I have 25+ machines, different passwords for all machines is not that workable.
>
> What are other people's thoughts on this? Where have I gone wrong in implementation? What would be your recommendations in this case?

Well, as you probably guessed, this is a big can of worms.

You are using sudo the same way I am, and I believe it's proper. Some people might consider this to be removing a 'layer' of security, sure - it essentially makes it so any admin's password is just as good as the root password, to an intruder.

Think about a scenario in which this would actually make a difference. If someone has cracked any admin's password, on a normal /etc/shadow-based system, why couldn't they also crack root? Sure, perhaps one could be sniffed, but that would point to another problem involving a lack of encryption. One might argue that root should have a 'harder to crack' password, but I would reply that administrators should be equally protected.

So, basically, if you would really trust the integrity of your current system after some intruder has stolen an administrator password, then yes, using sudo is probably a bad idea. Just go back to su, which has a separate set of risks involving sharing the single root password.

If you (or your manager) really want multi-layered theoretical security, you should be taking advantage of SE Linux or something similar. (Cue Russell Coker explaining how well it solves this problem ... :) )

Having a second password for root might be an 'additional layer of security,' but IMHO it's a pretty weak one.

 - Keegan
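The two sudoers styles the thread contrasts, side by side as an added example (not a configuration from any poster's machine); user names, command paths and the log file location are illustrative, and the file is meant to be edited with visudo:

```text
# The ALL=ALL form Stewart describes. Every invocation is still logged with the
# admin's own name, but to an intruder the admin's password is now the root password.
stewart     ALL=(ALL) ALL

# Scoped form: each admin gets the commands the job needs, and sudo keeps its
# own log file in addition to syslog.
Defaults    logfile=/var/log/sudo.log, log_year
User_Alias  ADMINS   = stewart, keegan
Cmnd_Alias  SERVICES = /usr/sbin/invoke-rc.d, /sbin/shutdown
Cmnd_Alias  LOGS     = /usr/bin/tail /var/log/*
ADMINS      ALL = (root) SERVICES, LOGS
```

Anything on a command list that can spawn a shell or editor, or install software, is still root-equivalent, so the scoped form narrows accidents and makes the log meaningful more than it blunts a stolen admin password, which is Keegan's point.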
Re: Could sudo be a security issue?
>>>>> "Stewart" == Stewart James [EMAIL PROTECTED] writes:

[...]

Stewart> Now in his mind this is removing a level of security. If
Stewart> someone manages to get my password, they also can gain access
Stewart> to root via sudo.

sudo uses PAM for authentication, so you can use one of the PAM modules (e.g. libpam-pwdfile or libpam-dotfile which is in unstable, but AFAIK not in stable) and set it up so that everyone can have different passwords for sudo.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
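Hubert's PAM suggestion spelled out as an added example (not his own configuration): sudo's PAM stack on Debian pointed at a separate password file through libpam-pwdfile, so the login password and the sudo password differ. The file paths, the `pwdfile=` option spelling and the `@include` lines are assumptions to check against the module's README and the installed /etc/pam.d/sudo:

```text
# /etc/pam.d/sudo
auth      required   pam_pwdfile.so pwdfile=/etc/security/sudo-passwd
@include  common-account
@include  common-session

# /etc/security/sudo-passwd: owned by root, mode 0600, one htpasswd-style
# "user:crypt-hash" line per admin (hashes made with mkpasswd from the whois
# package). Nothing in the login path reads this file, so a captured login
# password does not by itself unlock sudo.
```

The file only helps if its hashes are at least as strong as those in /etc/shadow and it is excluded from backups and configuration pushes that less trusted staff can read.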
Re: Could sudo be a security issue?
> going back to root means that you do not know who did what. sudo gets logged, so you know who did what. that is way more important security wise than not running sudo and having 5 people use root with no logging.
>
> the second thing is that if you did want to limit people to certain commands you can. without it you are forced to give them root, and that means unlimited power.

Basing on workarounds where I make some people work on different issues, and their issues need root privileges, I should not give them all the root access via password, etc. For five people's workaround, it means five root people. This is of course a big gap for security.

sudo may be a solution; who did what can easily be checked via logs. This should not be a physical problem for an administrator to check logs and keep the maintenance!
Re: Could sudo be a security issue?
On Thu, May 15, 2003 at 09:17:03AM +1000, Stewart James wrote:
> Hi all,
>
> My manager just came in asking questions about sudo. We use sudo here as a replacement for having to know root passwords - in general there are around 5 of us who need root access to the machines we maintain. We typically have just fallen back to a ALL=ALL for ourselves so we can just prepend sudo to any command we need executed as root.

I generally use sudo more as a safety cover on the root buttons than a guardian against root access. If an intruder has access to an account from which you perform administrative tasks, you're already pretty well screwed, regardless of whether the malefactor has yet obtained the root password.

> Now in his mind this is removing a level of security. If someone manages to get my password, they also can gain access to root via sudo. In an

If someone gets your password, said person will likely be able to manipulate your account so as to get root the next time you su.

OTOH, if you do want the extra security blanket, you could tweak PAM to have sudo use a different password store or even an entirely different authentication scheme...

> environment where I have 25+ machines, different passwords for all machines is not that workable.

Whether it's workable depends on how it's implemented. We assign all our machines ID numbers for inventory control purposes. To generate superuser passwords for our workstations, we hash the machine's number and a secret key. The procedure generates a sufficiently unique and random password for every machine. Every administrator gets a magic decoder ring^Wprogram that can calculate passwords.

The password calculator obviously must be protected in the same manner that you'd protect sensitive encryption keys or hardware authentication tokens, as it's the key to your net.

If you have different classes of machines and different classes of administrators, you can use more than one secret key to generate passwords. A tech who should only have administrative access to a group of user machines only gets the key used to generate their passwords.

> What are other people's thoughts on this? Where have I gone wrong in implementation? What would be your recommendations in this case?

-- 
William Aoki  [EMAIL PROTECTED]      /\  ASCII Ribbon Campaign     B1FB C169 C7A6 238B 280B
- key change                     \ /  No HTML in mail or news!   99AF A093 29AE 0AE1 9734
prev. expired                     X
                                 / \
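William's per-machine password scheme, as an added example that is not his program: the password for a machine is derived from its inventory number and a class key. A keyed hash (HMAC-SHA256) stands in for the unspecified "hash the number and a secret key", so a password recovered from one machine yields neither the key nor other machines' passwords. Keys and inventory numbers below are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict

PASSWORD_LENGTH = 16  # 16 base64 characters carry 96 bits of the MAC


def machine_password(secret_key: bytes, machine_id: str,
                     length: int = PASSWORD_LENGTH) -> str:
    """Deterministic superuser password for one machine under one class key."""
    if len(secret_key) < 16:
        raise ValueError("class key must be at least 16 bytes")
    # Normalise the inventory number so "INV-00123" and " inv-00123" agree.
    label = machine_id.strip().lower().encode("ascii")
    mac = hmac.new(secret_key, label, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


class PasswordCalculator:
    """The 'magic decoder program': one key per class of machines, so a tech
    holds only the keys for the classes they administer."""

    def __init__(self, class_keys: Dict[str, bytes]) -> None:
        # In use the keys come from a protected store (encrypted file, hardware
        # token); they are passed in here so the example runs offline.
        self._keys = dict(class_keys)

    def password(self, machine_class: str, machine_id: str) -> str:
        key = self._keys.get(machine_class)
        if key is None:
            raise PermissionError(f"no key held for machine class {machine_class!r}")
        return machine_password(key, machine_id)


if __name__ == "__main__":
    # Constructed demo keys; real ones would be random and never in source.
    calc = PasswordCalculator({"workstation": b"demo-workstation-class-key",
                               "server": b"demo-server-class-key-000"})
    print(calc.password("workstation", "INV-00123"))
```

Rotating a class key changes every password in that class at once, which is the main operational cost of the scheme and the reason the key store needs the same care as the passwords it replaces.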
Re: Could sudo be a security issue?
Keegan Quinn said on Wed, May 14, 2003 at 04:59:52PM -0700:
> Think about a scenario in which this would actually make a difference. If someone has cracked any admin's password, on a normal /etc/shadow-based system, why couldn't they also crack root? Sure, perhaps one could be sniffed, but that would point to another problem involving a lack of encryption. One might argue that root should have a 'harder to crack' password, but I would reply that administrators should be equally protected.

In addition, most administrators' accounts are root equivalent anyway, due to group memberships, etc. For example, you may have a nightly cron that runs as root that's editable by the adm group, of which all admins are members. Getting root in that case is as simple as putting something in the cron that makes a suid shell binary somewhere.

In short: I also think you're using sudo correctly, but you need to be aware that all of the admin accounts are probably root equivalent, even without sudo.

M
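A check for the situation M describes, added here as an example and not taken from the thread: walk the places cron runs things as root and report every entry that a non-root user could modify, whether through ownership, a group-writable bit with a non-root group (the adm case), or world write. The path list is the usual Debian layout and is an assumption; `fake_stat` exists only so the rule can be exercised without touching the disk.

```python
import os
import stat
from typing import List, Optional, Sequence, Tuple

# Where cron reads root's jobs on a Debian system (assumed layout).
ROOT_CRON_PATHS = (
    "/etc/crontab", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
    "/etc/cron.weekly", "/etc/cron.monthly", "/var/spool/cron/crontabs/root",
)


def non_root_write_reason(st: os.stat_result) -> Optional[str]:
    """Why someone other than root could change this path, or None if nobody can."""
    if st.st_uid != 0:
        return f"owned by uid {st.st_uid}, who can edit it or chmod it"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"writable by group gid {st.st_gid}"
    return None


def audit_root_cron(paths: Sequence[str] = ROOT_CRON_PATHS) -> List[Tuple[str, str]]:
    """Return (path, reason) for every root cron file or directory with a weak mode."""
    findings: List[Tuple[str, str]] = []
    for top in paths:
        if not os.path.lexists(top):
            continue
        entries = [top]
        if os.path.isdir(top) and not os.path.islink(top):
            # A writable cron.d directory is as bad as a writable file: anyone
            # who can create a file there adds a root job.
            for dirpath, dirnames, filenames in os.walk(top):
                entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
        for path in entries:
            reason = non_root_write_reason(os.lstat(path))
            if reason:
                findings.append((path, reason))
    return findings


def fake_stat(mode: int, uid: int, gid: int) -> os.stat_result:
    """Hand-built stat result for trying the rule on constructed cases."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


if __name__ == "__main__":
    for path, reason in audit_root_cron():
        print(f"{path}: {reason}")
```

The same rule applies to anything else root executes unattended (init scripts, logrotate hooks, the scripts those jobs call), so in practice the path list grows with the system.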